#!/bin/bash
# Script to apply UFW rules incrementally with regex matching for `ufw status verbose` output

# Fetch the current UFW status once and store it
CURRENT_UFW_STATUS=$(ufw status verbose)

# Function to check and apply a rule with regex for forward rules
apply_rule() {
    local rule="$1"
    local rule_type="$2" # "IN" for incoming, "FWD" for forwarded (route) rules
    local ip_address="$3"

    # Construct the regex pattern based on rule type
    local regex_pattern
    if [ "$rule_type" == "FWD" ]; then
        regex_pattern="ALLOW FWD\\s+$ip_address"
    else
        regex_pattern="ALLOW IN\\s+$ip_address"
    fi

    # Use grep with -P for Perl-compatible regex, and -q to quietly check for a match
    if echo "$CURRENT_UFW_STATUS" | grep -Pq -- "$regex_pattern"; then
        echo "Rule already exists: $regex_pattern"
    else
        echo "Applying rule: $rule"
        ufw $rule
    fi
}

# Apply rules
# Example for direct allow rules
apply_rule "allow 22" "IN" "22" # IP address parameter is not used for this rule

# Example for forwarded (route) rules
{% for host in hetzner_hosts %}
apply_rule "allow from {{ host }}" "IN" "{{ host }}"
apply_rule "route allow from {{ host }}" "FWD" "{{ host }}"
{% endfor %}

{% for host in do_hosts %}
apply_rule "allow from {{ host }}" "IN" "{{ host }}"
apply_rule "route allow from {{ host }}" "FWD" "{{ host }}"
{% endfor %}

# Allow traffic on docker0 interface
apply_rule "allow in on docker0" "IN" "docker0"
apply_rule "allow out on docker0" "IN" "docker0"
